
Activation Lock for Apple Devices

Activation Lock is a security feature on Apple devices which prompts for Apple ID credentials after a device is factory reset. This makes it difficult for someone to use or sell an Apple device if it is lost or stolen. 

 

Systems Manager can manage Activation Lock state on Apple devices. This functionality requires supervision to be enabled on the target device.  If an Apple device is supervised, administrators have the following capabilities:

  • Allow/Prevent Activation Lock
  • Force enable MDM Activation Lock (also requires automated device enrollment via Apple's Device Enrollment Program)
  • Clear the Activation Lock state remotely

Allow Activation Lock

End users can enable Activation Lock when signing into Find My iPhone/iPad on the device with their Apple ID credentials.  However, this ability is automatically disabled if the device is supervised at the time of enrollment. 

 

To allow end users to enable Activation Lock with Find My iPhone:

  1. Go to Manage > Settings 
  2. Create a "Privacy and Lock" configuration profile 
  3. Check the box for "Allow Activation Lock"
  4. Scope the configuration profile to the desired tags and save

Warning: For devices enrolled with DEP before August 12, 2019, "Allow Activation Lock" may have been enabled by default. If Activation Lock is enabled after wiping a device, try one of the following steps:

Enable MDM Activation Lock

When a supervised iOS device is enrolled using automated device enrollment (DEP), Systems Manager can force enable Activation Lock using the Apple ID of an Apple Business Manager or Apple School Manager administrator. This method provides administrators with the added reassurance that they can reactivate a device with known credentials if it is wiped while Activation Lock is enabled.

 

To enable MDM Activation Lock automatically at the time of DEP enrollment:

  1. Go to Manage > Settings 
  2. Create a "Privacy and Lock" configuration profile 
  3. Check the box for "Allow MDM Activation Lock"
  4. Scope the configuration profile to the desired tags and save


MDM Activation Lock can also be enabled on a per-device basis for DEP-enrolled iOS devices. Go to the Systems Manager > Devices list and click on the target device to access its device details. Under the MDM Commands section, the Enable Activation Lock option will send a command to Apple to enable Activation Lock on the device.


Warning: For devices enrolled with DEP before August 12, 2019, "Allow MDM Activation Lock" may have been enabled by default. If Activation Lock is enabled after wiping a device, try one of the following steps:

  • Enter Apple ID username and password of the linked Apple Business Manager or Apple School Manager administrator.
  • Use an Activation Lock bypass method

Checking Activation Lock Status

Systems Manager can show the current Activation Lock state of all devices at once. Go to the Systems Manager > Devices list and add the column (+) for Activation Lock.


Activation Lock status can also be viewed for a specific device on the device details page under the Management section.  The two statuses are:

  • Activation Lock - Activation Lock status if enabled via Find My iPhone/iPad on the device. If status is Enabled, Activation Lock may be linked to the end user's Apple ID.
  • MDM Activation Lock - Activation Lock status if enabled via Systems Manager command. If status is Enabled, Activation Lock may be linked to the Apple ID of the Apple Business Manager or Apple School Manager administrator account.


Bypass Activation Lock

Systems Manager has a feature called Activation Lock Bypass to circumvent the Apple Activation Lock. This method utilizes unique "bypass codes" that are created when Activation Lock is enabled; each code is stored in Systems Manager.  The bypass codes can be used to authorize clearing Activation Lock on a device in situations where the linked Apple ID credentials are unknown. Bypass Activation Lock can be performed on a single device at a time, or for all enrolled devices at once. 

Prerequisites 

Bypassing Activation Lock requires that devices meet a few prerequisites. To remotely bypass Activation Lock, the following criteria must be met:

  • The target device must be enrolled in a Systems Manager network
  • The target device is running iOS 7.1 or greater
  • The target device must be supervised, using Apple Configurator or Apple's DEP 
  • Activation Lock is enabled via MDM or Find My iPhone/iPad on the target device
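
The prerequisite check above can be run over a device inventory before a bypass is attempted. The following is an added example, not Cisco Meraki code: the CSV layout and column names are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export; the column names are assumptions, not a Systems Manager format.
SAMPLE_CSV = """name,os_version,enrolled,supervised,activation_lock,mdm_activation_lock
ipad-lab-01,12.3.1,yes,yes,Enabled,Disabled
iphone-old,7.0.6,yes,yes,Enabled,Disabled
ipad-byod,13.1,yes,no,Enabled,Disabled
ipad-kiosk,12.4,yes,yes,Disabled,Disabled
iphone-dep,12.2,yes,yes,Disabled,Enabled
ipad-gone,12.0,no,yes,Enabled,Disabled
"""

MIN_IOS = (7, 1)  # "iOS 7.1 or greater" from the prerequisites list


def parse_version(text):
    """Turn '12.3.1' into (12, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def failed_prerequisites(row):
    """Return the list of bypass prerequisites this device does not meet."""
    failures = []
    if row["enrolled"].lower() != "yes":
        failures.append("not enrolled")
    try:
        if parse_version(row["os_version"]) < MIN_IOS:
            failures.append("iOS below 7.1")
    except ValueError:
        failures.append("unparseable iOS version")
    if row["supervised"].lower() != "yes":
        failures.append("not supervised")
    # Either the Find My lock or the MDM lock satisfies the last prerequisite.
    if "Enabled" not in (row["activation_lock"], row["mdm_activation_lock"]):
        failures.append("Activation Lock not enabled")
    return failures


def triage(csv_text):
    """Map each device name to its unmet prerequisites (empty list = eligible)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["name"]: failed_prerequisites(row) for row in reader}


if __name__ == "__main__":
    for name, failures in triage(SAMPLE_CSV).items():
        print(f"{name:12} {'eligible' if not failures else 'skip: ' + ', '.join(failures)}")
```
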

Bypass Activation Lock - Single Device


Once the prerequisites are met, the Activation Lock Bypass tools will appear under the MDM commands section of the device details page.

Note: The device must be supervised and enrolled in Systems Manager prior to Find My iPhone/iPad being enabled.


The Clear Activation Lock command automatically releases the iOS device from an Activation Locked state using the last known bypass code(s). It may be necessary to tap Back on the device before being able to proceed with activation if the device is already factory reset.

 

The Show bypass code command reveals the unique Activation Lock bypass code received by Cisco Meraki from Apple. If the device has already been factory reset and reactivated, at the Activate iPhone/iPad screen, administrators can manually enter the bypass code (without dashes) in the password field and leave the Apple ID field blank.

 

 


Bypass Activation Lock - In Bulk

If Activation Lock is enabled on multiple devices, and the devices meet all of the prerequisites, Systems Manager can attempt to bypass Activation Lock for all target devices at once. Click the checkbox to select devices in Systems Manager > Devices, then choose Command > Bypass Activation Lock.


The bypass will be attempted only on devices that meet the prerequisites and currently have Activation Lock enabled.


Note: Mass Bypass commands are enqueued within Meraki Systems Manager and then sent to Apple. A "Status: Success" on this modal means that the bypass job was successfully enqueued in Meraki Systems Manager. Processing of the requests between Meraki and Apple may take several minutes after this, depending on the number of devices you are attempting to bypass. Check back on the devices list in a few minutes to confirm that Activation Lock status changes from Enabled to Disabled. If you are having a problem with a particular device, try "Bypass Activation Lock - Single Device" to view any errors on the bypass attempt returned from Apple.

Article ID

ID: 1231
